在Rails中使用有关密码处理的API来提高Android应用程序的安全性
[英]Improve the security of an Android application using an API in Rails regarding password handling
问题描述
I'm new at my job and I'm in charge of improving an Android app and the API this app use because the last developer left the company. 
我是新手,负责改善Android应用程序和该应用程序使用的API,因为最后一位开发人员离开了公司。
Right now the app is pretty small, according to Google Play Store less than 500 people have installed it, but something that worries me is that I realized that the guy who developed this app in Android saved the passwords of the users in the phone in plain text with localStorage.setItem , then everytime an user wants to log in he recover the password with localStorage.getItem and send it to the API. 目前,该应用程序很小,根据Google Play商店的安装,只有不到500人安装了该应用程序,但令我感到担忧的是,我意识到用Android开发此应用程序的人将用户密码保存在手机中使用localStorage.setItem文本,然后每次用户想要登录时,他使用localStorage.getItem恢复密码并将其发送到API。 In the Rails API the password is handled much more securely, but he made the authentication with a GET request (honestly, he used GET for everything, editing resources, creating resources, etc.), and although he used HTTPS, the API could also accept HTTP requests. 在Rails API中,密码的处理更加安全,但是他使用GET请求进行身份验证(老实说,他使用GET进行所有操作,编辑资源,创建资源等),尽管他使用HTTPS,但该API也可以接受HTTP请求。
I'm no security expert, but obviously this is pretty bad... 我不是安全专家,但是显然这很糟糕...
What can I do in the short term to improve the security of this application? 短期内我该怎么做才能提高此应用程序的安全性?
- For now I made the API to only accept HTTPS requests. 现在,我使该API仅接受HTTPS请求。
- I'm planning in change the GET requests for POST when appropriate. 我打算在适当的时候更改POST的GET请求。
- I also plan to save the Hash of the password when the user sign up and then use this Hash like if it were the real password. 我还计划在用户注册时保存密码的哈希,然后像使用真实密码一样使用此哈希。
As I said, I'm not an expert in security, but I do not want to do things as bad as the previous developer, so I want to hear more opinions, what else can I do to improve the security of the application in Rails and Android? 就像我说的那样,我不是安全专家,但是我不想做像以前的开发人员一样糟糕的事情,所以我想听听更多的意见,以及在提高Rails中应用程序的安全性方面我还能做些什么?和Android? How can I handle sensitive information more carefully? 如何更仔细地处理敏感信息?
Greetings. 问候。
1 个解决方案
解决方案1
0 2018-10-08 03:09:34
This is not the worst issue in the world, the password should be securely transmitted over https. 这不是世界上最严重的问题,密码应通过https安全传输。 The main problem is it is impossible to invalidate sessions without changing your password. 主要问题是不更改密码就不可能使会话无效。 Say you login on a device and then later from another device you want to log out the first one but you don't have access to the first device than you are unable to log out the first device without changing your password. 假设您先登录一台设备,然后再从另一台设备上注销第一台设备,但是您无权访问第一台设备,因为您无法在不更改密码的情况下注销第一台设备。 Using a hashed password stored on the client is no better because the hash has now become the password. 使用存储在客户端上的哈希密码并没有什么好处,因为哈希现在已成为密码。
How it should be done and how most websites do it is you send your username/password to the login api and the login api returns an auth token. 应该怎么做以及大多数网站是怎么做的,您将用户名/密码发送到登录api,并且登录api返回一个auth令牌。 The auth token is then used to authenticate all api requests from now on. 从现在开始,使用auth令牌对所有api请求进行身份验证。 The benefit of this is the auth token can be invalidated by the server and the session expires which blocks the device from accessing the api until it has logged in again. 这样做的好处是,服务器可以使auth令牌无效,并且会话到期,这会阻止设备访问api,直到再次登录为止。
One popular library for this is devise_token_auth which handles all of this for you. 其中一个流行的库是devise_token_auth ,它可以为您处理所有这一切。
But if your app has no way to list the active sessions and invalidate them then you gain nothing from this. 但是,如果您的应用无法列出活动会话并使它们无效,那么您将一无所获。 Again, sending the password through https to your server is not particularly unsafe. 同样,通过https将密码发送到服务器并不是特别不安全。 An apps private storage area can not be accessed by other apps and if the device is compromised so this area is not safe then there is nothing you can do anyway. 一个应用程序的专用存储区域无法被其他应用程序访问,如果设备受到损坏,因此该区域不安全,那么您将无能为力。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.